Organizations are under increasing pressure from
shareholders, regulators, and other key stakeholders to report on
environmental, social, and governance (ESG) issues. The movement to accurately
measure and report the impacts that organizations have on the environment,
climate, natural resources, workforce, and community (and their related ethical
implications) is rapidly changing how the public interacts with and values
businesses and government institutions.
The business world is clearly responding. In 2011, 20% of
companies on the S&P 500 issued reports related to sustainability,
according to the Governance & Accountability Institute. Today, that number is
90%. It is not surprising, then, that measuring the accuracy of this new
discourse has come under increased regulatory scrutiny.
The U.S. Securities and Exchange Commission (SEC) announced on
March 4 that it has created a 22-member Climate and ESG Task Force within the
Division of Enforcement to monitor how organizations report their climate- and
ESG-related disclosures to investors. Based on that announcement, it is clear
the task force is focused on enforcing reporting rules.
“Proactively addressing emerging disclosure gaps that
threaten investors and the market has always been core to the SEC’s mission,”
Acting Deputy Director of Enforcement Kelly L. Gibson, who will lead the task
force, said in the SEC’s statement. “This task force brings together a broad
array of experience and expertise, which will allow us to better police the
market, pursue misconduct, and protect investors.”
Internal auditors are well-positioned to support their
organizations in this evolving risk area. While most regulations on ESG reporting
are relatively new, the processes for evaluating the effectiveness and
efficiency of any regulatory compliance regime are well-established — validating
that reporting processes are complete, accurate, timely, and relevant.
The first step should be for internal auditors to update
their risk assessments in this area and consult with stakeholders on the board
and in the C-suite on whether changes are needed in the audit plan. The IIA published an IIA Bulletin on this subject this week to support its members.
The SEC’s action provides a prime example of the importance
of two issues that I have written about repeatedly over the years. First, the
speed or velocity of risk is increasing. For many organizations, ESG was not on
the radar as little as five years ago. Today, it is quickly rising as a top
risk with regulatory, reputational, ethical, shareholder, and operational
However, internal auditors may not yet be in the best
position to support their organizations on this complex risk overall. According
to The IIA’s OnRisk 2021
report, “All parties are reasonably well-aligned with regard to organizations’
capability to manage environmental, social, and governance risks, which collectively
comprise sustainability. However, confidence is fairly low. CAEs rate their
personal knowledge about this increasingly relevant risk category as very low.”
The second is agility. Internal auditors must be ready, not
just to respond quickly to changing stakeholder demands on risk assurance, but
to lead the way when risk assessments show changes to likelihood and impact.
The SEC’s new zeal to “better police the market, pursue misconduct, and protect
investors” is a clear call for internal auditors to inform and educate
stakeholders on this evolving regulatory risk.
Beyond the immediate response to changing regulatory risks
related to ESG, internal audit leaders should firmly establish their role on
the issue within their organization. Last month, The IIA contributed a letter
to a hearing of the U.S. House of Representatives Committee on Financial
Services titled, “Climate Change and Social Responsibility: Helping Corporate
Boards and Investors Make Decisions for a Sustainable World.” In that letter, I
made the case for internal audit playing a critical role in sustainability
beyond simple assurance on reporting.
“While worthwhile, that narrow view fails to address the
natural inhibitors to organizations to do more to comprehensively tackle this
critical issue,” according to the letter. “Internal audit, as an objective and
independent provider of assurance and advice with the purpose of continuous
improvement, is ideally positioned to help organizations find the motivation
and the means to embrace and incorporate sustainability measures that can
advance both organizational performance and broader social, economic, and
Indeed, internal auditors are
generally tasked with supporting management of key operational risk areas,
including strategic, legal, and compliance, which historically account for up
to 80% of an organization’s risk portfolio.
Internal audit cannot find
itself on the outside looking in on such critical risks. It must improve its
understanding of this issue by educating practitioners about emerging risks
related to sustainability and how it fits
into an organization’s operational and strategic priorities. It also must
clearly articulate the value of “independent assurance” on ESG reporting, as
regulators focus increasingly on this area.
As always, I look forward to